Author Topic: ISE1.3 3rd party Certificate  (Read 4262 times)

Offline ozone007

  • Cisco Newbie
  • *
  • Posts: 8
  • Reputation: 0
  • Certification: CCNA
ISE1.3 3rd party Certificate
« on: April 19, 2015, 03:54:10 AM »
Hello guys, it's always a nightmare when it comes to certificates for me.

Can anyone please explain how we can integrate a 3rd party cert for Guest on ISE 1.3?
My client requested to install a 3rd party Go Daddy cert. I told him to recheck with Go Daddy Support because I found one blog post by LabMinutes saying that the SAN field is not supported. I have some time to learn how it works; can anyone please explain it to me or direct me somewhere where I can get more information.

Edit: added link for reference
« Last Edit: April 19, 2015, 03:57:51 AM by ozone007 »

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 379
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: ISE1.3 3rd party Certificate
« Reply #1 on: April 21, 2015, 12:19:52 AM »
It depends on what type of cert you want to use. If you are using an identity cert (i.e. one cert per node), you can get that from any cert provider. For guest access, assuming you have more than one node, a wildcard cert is highly recommended. However, as explained in the article you referenced, an ISE wildcard cert is in a different format than a regular cert: the wildcard attribute is actually located under the SAN and not the CN, so you need to make sure your cert provider can accommodate that.
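To see why the wildcard has to sit in the SAN, here is how a TLS client matches a host name against a certificate (RFC 6125 style: SAN dNSName entries are checked, and the CN is only consulted when there is no SAN at all). This is an added example, not code from the thread or from ISE; the certificate names are constructed.

```python
"""Host-name matching as a TLS client performs it, to show why an ISE
wildcard certificate must carry the wildcard in the SAN, not the CN.
Added example; certificate names below are constructed, not real."""


def _name_matches(pattern: str, host: str) -> bool:
    """Match one presented identifier against a host name.
    A wildcard is honoured only as the entire leftmost label and matches
    exactly one label: *.example.com covers ise1.example.com but not
    example.com or a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Refuse *.com style patterns and require the same number of labels.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cn: str, san_dns: list[str], host: str) -> bool:
    """Return True if a client connecting to `host` would accept a
    certificate with this CN and these SAN dNSName entries.
    When any SAN dNSName is present the CN is ignored entirely."""
    if san_dns:
        return any(_name_matches(name, host) for name in san_dns)
    return _name_matches(cn, host)


# Constructed ISE-style wildcard cert: CN names one node, SAN carries the
# node name plus the wildcard so every node and the guest portal match.
ISE_WILDCARD = ("ise1.example.com", ["ise1.example.com", "*.example.com"])

# Constructed "regular" wildcard cert with the wildcard only in the CN and
# a non-wildcard SAN: only ise1 matches, other nodes are rejected.
CN_ONLY_WILDCARD = ("*.example.com", ["ise1.example.com"])


def node_coverage(cert: tuple[str, list[str]], hosts: list[str]) -> dict[str, bool]:
    """Map each deployment host name to whether the cert would be accepted."""
    cn, san = cert
    return {h: cert_matches_host(cn, san, h) for h in hosts}
```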

Offline clyons544

  • Cisco Newbie
  • *
  • Posts: 3
  • Reputation: 0
  • Certification: CCNA
Re: ISE1.3 3rd party Certificate
« Reply #2 on: June 04, 2015, 02:33:45 PM »
I was just wondering if you can explain this a little more. I am running a 6-node deployment with a wildcard certificate from DigiCert, which was the easiest to work with so far. The issue I am having is with EAP-TLS authentication for the wireless clients. We are using GPO to push out the SSID and user/machine certs from the internal CA. Now when I configure a device not receiving the GPO and just use PEAP and validate the DigiCert root, it works fine; when I use a smartcard I get an error "12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain".

Right now I have EAP Authentication selected for the DigiCert cert; do I need to change this and install a wildcard cert issued from the internal CA? How would BYOD using the internal CA of ISE work in that case?

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 379
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: ISE1.3 3rd party Certificate
« Reply #3 on: June 05, 2015, 09:10:50 PM »
PEAP only requires the client to trust the CA that signed the server cert, in this case DigiCert. EAP-TLS/smartcard, on the other hand, also requires the server to trust the CA that signed the client cert, in this case your corporate internal CA. Can you check if you have imported the internal root CA cert to ISE, as it is complaining about not trusting the client cert chain? If it is not there, you will need to import it.
BYOD with the ISE internal CA works under the same concept. The only difference is that ISE by default already has its internal root CA cert in its cert store, hence it automatically trusts any client cert the internal CA will be issuing to onboarding devices.
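The two trust checks in the reply above, modelled as chain building against a trust store, so the 12514 outcome can be reproduced and then cleared by adding the internal root. This is an added example, not ISE code or anything from the thread; all CA and certificate names are constructed.

```python
"""Models the trust checks in an 802.1X EAP handshake: PEAP needs the client
to trust the CA that signed the ISE server certificate; EAP-TLS additionally
needs ISE to trust the CA chain that signed the client (smartcard) cert.
Added example with constructed CA and certificate names; not ISE code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # subject of the signing CA; equals subject for a self-signed root


def chain_to_trusted(leaf: Cert, intermediates: list[Cert], trust_store: set[str]) -> bool:
    """Follow issuer links from the leaf through the supplied intermediates
    until a signer whose subject is in the trust store is found."""
    by_subject = {c.subject: c for c in intermediates}
    cur, seen = leaf, set()
    while True:
        if cur.issuer in trust_store:
            return True
        if cur.issuer == cur.subject or cur.subject in seen:
            return False  # untrusted self-signed root, or a loop
        seen.add(cur.subject)
        cur = by_subject.get(cur.issuer)
        if cur is None:
            return False  # intermediate neither presented nor installed


# Constructed sample: a public CA signs the ISE server cert, the internal
# corporate CA signs the user/smartcard certs pushed out by GPO.
SERVER_CERT = Cert("ise1.example.com", "Public Intermediate CA")
SERVER_CHAIN = [Cert("Public Intermediate CA", "Public Root CA")]
CLIENT_CERT = Cert("alice@corp.example", "Corp Issuing CA")
CLIENT_CHAIN = [Cert("Corp Issuing CA", "Corp Root CA")]
CLIENT_TRUST = {"Public Root CA"}  # what the endpoint trusts for the server


def eap_outcome(method: str, ise_trust: set[str]) -> str:
    """Handshake outcome for "PEAP" or "EAP-TLS" given ISE's trust store.
    With only the public root in ise_trust, PEAP succeeds while EAP-TLS
    fails with the unknown-CA condition; adding the internal root fixes it."""
    if not chain_to_trusted(SERVER_CERT, SERVER_CHAIN, CLIENT_TRUST):
        return "client rejects server certificate"
    if method == "EAP-TLS" and not chain_to_trusted(CLIENT_CERT, CLIENT_CHAIN, ise_trust):
        return "12514 unknown CA in the client certificate chain"
    return "handshake ok"
```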

Offline clyons544

  • Cisco Newbie
  • *
  • Posts: 3
  • Reputation: 0
  • Certification: CCNA
Re: ISE1.3 3rd party Certificate
« Reply #4 on: June 09, 2015, 12:07:59 PM »
Thanks MC,

I think I discovered the issue. I do have the root and intermediate from the internal CA installed in the Trusted Root on ISE. The issue is that the ISE server is in the client's hbXYZ.com domain; the users will be authenticating from two different forests, newyork.hbXYZ.net and root-domain.org. TAC is saying to create another CSR within the newyork.hbXYZ.net domain for EAP authentication and have it signed by the internal CA.

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 379
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: ISE1.3 3rd party Certificate
« Reply #5 on: June 10, 2015, 12:55:02 PM »
That does not make sense though. ISE should be able to authenticate the client cert regardless of the client domain as long as ISE trusts all the root and intermediate CAs that signed the client cert, which is the problem being indicated in the screenshot you provided. Authorization, however, might become a problem if you do not have ISE integrated with the other two domains where the users are located, so make sure that you do, either through a forest trust or a separate AD connection.
